SSL Decryption Fails from Unexpected Message Client "hs_type 0"
Symptom
This article describes the scenario in which SSL decryption fails with the error "unexpected message client hs_type 0" on a Palo Alto Networks firewall.
Environment
- NGFW
- Supported PANOS versions
- SSL Forward Proxy decryption
Cause
Consider the following example, where SSL decryption is configured on the firewall and the source 192.168.35.66 connects to the server 203.213.110.163.
> show session all filter destination 203.213.110.163
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
456823       web-browsing   DISCARD FLOW  NS   192.168.35.66[48282]/L3-Trust/6  (10.129.82.35[61442])
vsys1                                          203.213.110.163[443]/L3-Untrust  (203.213.110.163[443])
> show session id 456823
Session 456823
c2s flow:
source: 192.168.35.66 [L3-Trust]
dst: 203.213.110.163
proto: 6
sport: 48282 dport: 443
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 203.213.110.163 [L3-Untrust]
dst: 10.129.82.35
proto: 6
sport: 443 dport: 61442
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Wed Aug 16 16:45:54 2017
timeout : 15 sec
total byte count(c2s) : 2568
total byte count(s2c) : 3605
layer7 packet count(c2s) : 20
layer7 packet count(s2c) : 8
vsys : vsys1
application : web-browsing
rule : Trust-to-Untrust
session to be logged at end : True
session in session ager : False
session updated by HA peer : False
address/port translation : source
nat-rule : Trust-NAT(vsys1)
layer7 processing : enabled
URL filtering enabled : True
URL category : computer-and-internet-info
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/3
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
tracker stage firewall : proxy decrypt failure
end-reason : decrypt-error
> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
Enabled: yes
Match pre-parsed packet: no
Index 1: 192.168.35.66[0]->203.213.110.163[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
Index 2: 203.213.110.163[0]->10.129.82.35[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
Index 3: 203.213.110.163[0]->192.168.35.66[0], proto 0
ingress-interface any, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
Enabled: no
Log-throttle: no
Sync-log-by-ticks: yes
Features:
flow : basic
proxy : basic timer detail
ssl : basic
Decryption fails because the server sends a TLS "Hello Request" handshake message (handshake type 0 in RFC 5246), which the firewall does not support, so the firewall ends the session. With detailed proxy and ssl debugging enabled, the packet-diag logs show the corresponding "hs_type 0" errors:
2017-08-16 16:45:55.392 +0800 Error: pan_ssl3_process_handshake_msg(pan_ssl3.c:1022): unexpected message client hs_type 0
2017-08-16 16:45:55.392 +0800 Error: pan_ssl_proxy_handle_rt_hs(pan_ssl_proxy.c:237): pan_ssl3_process_handshake_msg() failed -1
2017-08-16 16:45:55.392 +0800 Error: pan_ssl_proxy_parse_data(pan_ssl_proxy.c:591): pan_ssl_parse_record() failed
192.168.35.66[48282]-->203.213.110.163[443]
2017-08-16 16:45:55.392 +0800 pan_proxy_handle_error(pan_proxy.c:1878): handle error -1
2017-08-16 16:45:55.392 +0800 debug: pan_proxy_ssl_check_block_error(pan_proxy.c:1862): In session(456823), encounters error_id(-1 PAN_SSL_ERROR_GENERAL), action: skip
2017-08-16 16:45:55.392 +0800 debug: pan_proxy_ssl_proc_data(pan_proxy_ssl.c:1010): pan_ssl_proxy_parse_data() failed -1, not block
The screenshot below shows the server sending a "Hello Request" message, asking the client to re-initiate the SSL/TLS handshake.
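As an added illustration (not part of the original article), the following Python parses the TLS record layer the way a decrypting proxy must, walks the handshake messages inside each record, and flags a HelloRequest, which is the message the firewall reports as hs_type 0. The sample bytes are constructed for the example, not taken from the session above.

```python
import struct

CONTENT_TYPE_HANDSHAKE = 22  # TLS record ContentType "handshake" (RFC 5246, section 6.2.1)

# HandshakeType values from RFC 5246, section 7.4; hs_type 0 is the HelloRequest
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello",
                   11: "certificate", 12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 15: "certificate_verify",
                   16: "client_key_exchange", 20: "finished"}

def parse_tls_stream(data):
    """Split raw TLS records into (content_type, hs_type, body) tuples.
    A handshake record may carry several messages, so each is reported separately;
    non-handshake records get hs_type None. Truncated input raises ValueError."""
    messages, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated TLS record header at offset %d" % offset)
        content_type, _version, length = struct.unpack("!BHH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record body at offset %d" % offset)
        offset += 5 + length
        if content_type != CONTENT_TYPE_HANDSHAKE:
            messages.append((content_type, None, payload))
            continue
        pos = 0
        while pos < len(payload):
            # Handshake header: 1-byte HandshakeType followed by a 3-byte body length
            if len(payload) - pos < 4:
                raise ValueError("truncated handshake header")
            hs_type, hs_len = payload[pos], int.from_bytes(payload[pos + 1:pos + 4], "big")
            body = payload[pos + 4:pos + 4 + hs_len]
            if len(body) != hs_len:
                raise ValueError("truncated handshake message body")
            messages.append((content_type, hs_type, body))
            pos += 4 + hs_len
    return messages

def hello_request_seen(data):
    """Names of the handshake messages found, and whether hs_type 0 (HelloRequest) is among them."""
    names = [HANDSHAKE_TYPES.get(t, "unknown") for _, t, _ in parse_tls_stream(data) if t is not None]
    return names, "hello_request" in names

# Constructed sample (not captured from the article's session): a TLS 1.2 handshake record
# carrying a HelloRequest (type 0, zero-length body), followed by an ApplicationData record.
SAMPLE_SERVER_BYTES = bytes.fromhex("160303000400000000" + "1703030002abcd")
```

Running hello_request_seen over the server-to-client bytes of a capture tells you whether the discard matches this article's cause before you enable dataplane debugging.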
Resolution
The decryption session is discarded in this scenario because the server sends a "Hello Request". This is expected behavior, since a "Hello Request" from the server is not supported.
Additional Information
For more information on this handshake message type, refer to RFC 5246.